U.S. businesses that handle personal information about individuals living in European Union countries should be aware that, as a general rule, it is unlawful for them to transfer that data out of the European Union to the United States. Exceptions to this general prohibition apply in specified circumstances, that is, where there is consent to the transfer or where there is some assurance that U.S. businesses will comply with the transfer requirements of EU privacy laws when handling that information. These restrictions apply to U.S. businesses that have employees or customers in EU countries, as well as U.S. businesses that operate Web sites in the United States that collect information from individuals accessing their sites from the European Union. In 2000, the United States and the European Union entered into a “Safe Harbor Agreement” in order to improve U.S. businesses’ compliance with EU privacy laws while minimizing the risk to U.S. businesses of enforcement actions brought against them by EU regulators for privacy law violations. U.S. businesses that decide to participate in the Safe Harbor are subject only to enforcement actions by U.S. regulators if they fail to comply with Safe Harbor requirements. Another compliance strategy open to U.S. businesses is to include standard privacy terms in contracts for transactions involving the transfer of personal information about EU individuals to the United States that provide privacy guarantees and explicitly subject the business to the jurisdiction of EU privacy regulators. In October 2004, the EU Commission released a report that reiterates the EU commitment to working with the United States within the framework of the Safe Harbor, notwithstanding the apparent lack of success of either the Safe Harbor or the contract terms compliance strategies.
Sylvia M. Kierkegaard, Safe Harbor Agreement—Boon or Bane?, 1 Shidler J. L. Com. & Tech.
Available at: https://digitalcommons.law.uw.edu/wjlta/vol1/iss3/2